A macOS information-stealing malware can hijack Telegram Desktop classes and compromise cryptocurrency wallets, in line with blockchain safety agency SlowMist.
The malware harvests information from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases related to greater than a dozen cryptocurrency wallets.
After amassing passwords and authenticated classes, the malware copies customers’ authenticated Telegram Desktop session information, pockets databases and browser pockets extension information.
SlowMist mentioned attackers can then try and decrypt the stolen pockets databases offline utilizing passwords harvested from the contaminated machine or change legit Ledger and Trezor functions with faux variations that trick customers into getting into their restoration phrases. The safety agency reproduced the assault chain in an remoted setting.
MacOS malware code used to steal keys and passwords. Supply: SlowMist
Associated: AI has not triggered DeFi ‘hackpocalypse,’ Dragonfly accomplice says
MacOS malware targets common crypto wallets
In keeping with SlowMist, the malware combines a number of methods right into a coordinated assault chain, permitting attackers to pursue completely different strategies of compromising cryptocurrency accounts and wallets.
The malware targets software program wallets together with Exodus, Atomic, Electrum, Wasabi and Monero, in addition to {hardware} pockets functions similar to Ledger Dwell and Trezor Suite, in line with SlowMist. It additionally searches for pockets information saved by full-node purchasers together with Bitcoin Core, Litecoin Core, Sprint Core and Dogecoin Core.
Telegram two-step verification doesn’t forestall the assault as a result of the malware reuses an authenticated native session as a substitute of making a brand new login, in line with SlowMist. In exams, researchers restored stolen Telegram Desktop session information on one other Mac with out getting into a cellphone quantity, verification code or two-step verification password.
SlowMist urged customers who suspect their gadgets have been compromised to instantly terminate present Telegram classes, set up a brand new trusted login and alter each their Telegram two-step verification password and Telegram Desktop Passcode. The corporate additionally beneficial producing a brand new restoration phrase on a clear machine and transferring all property to new addresses.
Journal: Does Botanix’s failure show Bitcoiners don’t care about DeFi?

